Classification- TOP SECRET//SI//REL TO USA, CAN, GBR 


Classification: TOP SECRET//SI//REL 1 


Here, we should discuss the following: 

1. what we're currently doing with our equity in operational scenarios - encryption, in-memory only, choosing 
lower equity(already patched vulns, vulns we have several backups of) 

2. Our end goal of how our equity should be used 

3. How we will achieve #2 

Ideas 

• Bootstrap derives key then decrypts implant: 

• Generate key material from device-specific information 

• UID key requires kernel patch :( 

• 0x835 key requires to be _securityd (0x40) user (so far we fail at this) 

• How about 0x89A, 0x89B keys? 

• Effaceable Storage 

• might require com. apple. keystore. device entitlement. Also, don't 
attempt to write/format to effaceable storage - 1 bricked a device 
this way :( 

• EMF key used for filesystem key is derived from key 0x89B - can 
be read by reading the LWVM locker(0x4C77564d) in 
EffaceableStorage - see iphonedataprotection project for how get 
this. 

• System Keybag 

• partition GUID from Iwvm header - requires com. apple. private. security. disk- 
device-access entitlement. OR use ioreg code to get the UUID entry for a given 
partition. 

• int fd = open('/dev/diskO', 0_RD0NLY); 

• read(fd, buf, 4096); 

• buf [0x1 0:0x20] == LVWM device GUID 

• close(fd); 

• activation records 

• Store "master" key in NVRAM, never on disk 

• NVRAM can be seen when tethered to a device via a mdf diag command 

• Store key in NVRAM that is only valid for the next boot 

• Wrap other keys with master key, stored in NVRAM 

• Use resource forks, hard link info hidden path(something like '/0/0/Apple HFS Data') 


• Bootstrap provides runtime services to implant via mach messages: 

• Key (Un)wrap 

• In memory bundle injection with bidirectional mach port allocation 

• Covert storage 

• Uninstall 
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